Security Experts Insight On Nissan Source Code Leaked

Nissan North America has had the source code of its mobile apps and internal tools leaked online after misconfiguring one of its Git servers. The server was reachable with the default username and password (admin/admin) and has since been taken offline. Nissan is investigating the leak. The following cybersecurity professionals offer their insight on the story.

Expert Comments

January 11, 2021
Avi Shua
CEO and Co-founder
Orca Security


Using weak authentication is a huge security mistake for organizations that can have serious ramifications, including potentially leaking intellectual property, as we’ve seen with the Nissan source code exposure. Unfortunately, authentication issues are commonplace, as our recent State of Public Cloud Security Report found that 5.3 percent of organizations have at least one workload accessible using either a weak or leaked password. Multi-factor authentication (MFA) is an essential tool to help combat this challenge, but it is also being underutilized by organizations. Our research found that 23.5 percent of organizations aren’t using MFA to protect their high-risk accounts with super admin users. Strong authentication is key for organizations to conduct business in the digital economy, and critical breaches will continue to occur as long as hackers can easily find and exploit weak links.

January 07, 2021
Mark Bower
Senior Vice President
comforte AG


Modern connected cars with convenient features like remote unlock and remote start require at least a 4-digit PIN and strong authentication to use them. It’s curious, then, why the alleged source code repository for the backend and front end of this technology wasn’t protected with an equally bare-minimum security method. This is a classic example of security being only as good as the weakest link – most likely in this case down to both human error and a lack of process for risk scanning of critical infrastructure for vulnerable credentials and effective data security.

The recent SolarWinds situation should have prompted organisations across industry to revisit their supply chain security, data security and authentication as a matter of priority – including any internet-facing or cloud components. Access to code for potential core IoT/connected car applications opens up a raft of potential vulnerability exploits for attackers, if the claims of the full source code dump circulating on Twitter are indeed true. Connected systems at the edge, including automotive components, are not always simple to update at a firmware level to address new threats, requiring dealership processes. This means any discovered exploits such as vulnerable TCP/IP stacks, credential management and offline authentication methods in the connected path to the vehicle’s bevy of connected devices may indeed become targets for attacker analysis and compromise, made easier with access to source code.

January 07, 2021
Martin Jartelius
CSO
Outpost24


It is a basic security control to change the vendor default passwords whenever a system is deployed. From the nature of the content, this should be a production system and reviewed prior to having the source code uploaded. This basic control forms part of most organizations’ ISMS standards, i.e. ISO 27001 policies and regulations internally. As Nissan Japan had its 9001 certificate revoked in 2017 by authorities, it is not the first time the successful implementation of good plans and strategies has not reached all the way to execution in the large organization.

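The check Mark Bower and Martin Jartelius describe, a scan of exposed services for vendor-default credentials, as an added example that is not part of any expert's comment, of the original article, or of Nissan's own tooling. It assumes the Git server fronts its repositories with HTTP Basic authentication on a smart-HTTP path such as `/repo.git/info/refs`; the page does not say which product or authentication method Nissan's server used. The candidate credential list, the repository name `internal-tools.git` and the in-process mock server are constructed for the demo so it runs offline.

```python
"""Default-credential audit of an HTTP endpoint guarded by Basic auth.

Added example, not code from the article or from Nissan. The target
URL shape, the credential list and the mock server are assumptions
made so the audit can be demonstrated against a local stand-in for the
misconfigured Git server described on the page.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Assumed list of factory/default pairs; extend per vendor in practice.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("git", "git"),
]

# Opener with proxies disabled so internal targets are hit directly.
_OPENER = build_opener(ProxyHandler({}))


def _basic_header(user, password):
    """Build the value of an HTTP Basic 'Authorization' header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def probe_basic_auth(url, user, password, timeout=5):
    """Return True if the server accepts user:password via HTTP Basic auth.

    401/403 count as rejection; any 2xx counts as acceptance. Other HTTP
    errors are re-raised so a broken target is not mistaken for a secure one.
    """
    req = Request(url, headers={"Authorization": _basic_header(user, password)})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def find_default_credentials(url, candidates=DEFAULT_CREDENTIALS):
    """Return every (user, password) pair in candidates the endpoint accepts."""
    return [(u, p) for u, p in candidates if probe_basic_auth(url, u, p)]


# Constructed mock: a Git smart-HTTP style endpoint that still accepts the
# vendor default admin/admin, standing in for the server in the article.
class _MockGitServer(BaseHTTPRequestHandler):
    REQUIRED = _basic_header("admin", "admin")

    def do_GET(self):
        if self.headers.get("Authorization") != self.REQUIRED:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="git"')
            self.end_headers()
            return
        # Minimal ref advertisement; the body content is illustrative only.
        body = b"001e# service=git-upload-pack\n0000"
        self.send_response(200)
        self.send_header("Content-Type", "application/x-git-upload-pack-advertisement")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Start the mock server on a free port, audit it, and return the hits."""
    server = HTTPServer(("127.0.0.1", 0), _MockGitServer)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        port = server.server_address[1]
        url = f"http://127.0.0.1:{port}/internal-tools.git/info/refs?service=git-upload-pack"
        return find_default_credentials(url)
    finally:
        server.shutdown()
        server.server_close()
        thread.join()


if __name__ == "__main__":
    hits = run_demo()
    for user, password in hits:
        print(f"default credential accepted: {user}:{password}")
    if not hits:
        print("no default credentials accepted")
```

Against the mock, only `admin:admin` is accepted, which is exactly the finding a periodic scan of internet-facing hosts should raise before a third party does. In a real audit the probe belongs in a scheduled job over the asset inventory, with the candidate list drawn from each product's documented defaults, and a 2xx result treated as a deployment that never got the control Jartelius describes applied.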